首页
社区
课程
招聘
[求助]DbgPrint打印UnicodeString竟然蓝屏?
发表于: 2009-3-13 00:31 10086

[求助]DbgPrint打印UnicodeString竟然蓝屏?

2009-3-13 00:31
10086
一段初学代码,功能是:驱动列举进程,将进程名加入到一个链表中,通过IOCTL传递到应用层中。在虚拟机的纯净Win2000、WinXP和Win2003中运行正常,但如果在这些系统中安装了卡巴斯基,加载驱动正常,应用层和驱动交互时立即蓝屏,偶尔也不蓝屏,但传递出来的进程名却是乱码。WinDbg分析情况如下:
★★★★★★★★★★★★★★★
 
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {fe1e3e30, 0, 80507bb6, 0}
 
Could not read faulting driver name
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
*** ERROR: Module load completed but symbols could not be loaded for safeboxkrnl.sys
Probably caused by : irp3.sys ( irp3!MyDeviceIoControl+b4 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: [COLOR=red]fe1e3e30[/COLOR], memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: [COLOR=red]80507bb6[/COLOR], If non-zero, the instruction address which referenced the bad memory
 address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
 
Could not read faulting driver name
READ_ADDRESS:  fe1e3e30 
[COLOR=blue]FAULTING_IP: [/COLOR]
[COLOR=blue]nt!_output+909[/COLOR]
[COLOR=blue]80507bb6 668b03          mov     ax,word ptr [ebx][/COLOR]
MM_INTERNAL_CODE:  0
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x50
PROCESS_NAME:  irp3exe.exe
LAST_CONTROL_TRANSFER:  from 804fff32 to 80507bb6
STACK_TEXT:  
f282d41c 804fff32 f282d438 f7d8792c f282d6d8 [COLOR=blue]nt!_output+0x909[/COLOR]
f282d458 80500006 f282d494 00000200 f7d8792c nt!_vsnprintf+0x2f
f282d6b0 80500093 80500096 ffffffff 00000000 nt!vDbgPrintExWithPrefix+0x91
f282d6cc f7d87a74 f7d8792c e1ea26b8 e1ea26b0 nt!DbgPrint+0x1a
f282d70c 804e47f7 febf8030 83435cf0 806f12d0 irp3!MyDeviceIoControl+0xb4 [e:\mydriver\irp\3\sys\irp3.c @ 152]
f282d71c 80568f81 83435d60 fecd5028 83435cf0 nt!IopfCallDriver+0x31
f282d730 8057ba9f febf8030 83435cf0 fecd5028 nt!IopSynchronousServiceTail+0x70
f282d7d8 8058ffe3 000007e8 00000000 00000000 nt!IopXxxControlFile+0x611
f282d80c f5b54f98 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
f282d854 f59fbb3d 000007e8 00000000 00000000 klif+0x10f98
f282dd30 804df7ec 0012feec 000007e8 00000000 safeboxkrnl+0xab3d
f282dd30 7c92e4f4 0012feec 000007e8 00000000 nt!KiFastCallEntry+0xf8
0012ff1c 00000000 00000000 00000000 00000000 0x7c92e4f4
 
STACK_COMMAND:  kb
[COLOR=blue]FOLLOWUP_IP: [/COLOR]
[COLOR=blue]irp3!MyDeviceIoControl+b4 [e:\mydriver\irp\3\sys\irp3.c @ 152][/COLOR]
[COLOR=blue]f7d87a74 83c40c          add     esp,0Ch[/COLOR]
FAULTING_SOURCE_CODE:  
   148:   }
   149:   [COLOR=red]pMyData[/COLOR] = CONTAINING_RECORD(RemoveHeadList(&ProcessListHead),
   150:          MYPROCESSDATA,
   151:          myListEntry);
[COLOR=blue]>  152:   DbgPrint("[Aliwy] %wZ(%.8X)\n", &pMyData->usImageName, pMyData);[/COLOR]
   153:   
   154:   RtlInitAnsiString(&asData, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
   155:   RtlUnicodeStringToAnsiString(&asData, &pMyData->usImageName, TRUE);
   156:   outData = (PCHAR)asData.Buffer;
   157:   outDataLen = asData.Length + 1;
 
SYMBOL_STACK_INDEX:  4
SYMBOL_NAME:  irp3!MyDeviceIoControl+b4
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: irp3
IMAGE_NAME:  irp3.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  49b52e86
FAILURE_BUCKET_ID:  0x50_irp3!MyDeviceIoControl+b4
BUCKET_ID:  0x50_irp3!MyDeviceIoControl+b4
Followup: MachineOwner
---------

★★★★★★★★★★★★★★★

代码中的pMyData被定义成全局变量。
自己分析了一下,好像是DbgPrint最终在调用_output函数时读取fe1e3e30时发生错误:
 
80507bb6 668b03          mov     ax,word ptr [ebx]        ds:0023:fe1e3e30=????

代码中的
 
DbgPrint("[Aliwy] %wZ(%.8X)\n", &pMyData->usImageName, pMyData);

如果不用%wZ打印UnicodeString,而只用%.8X打印pMyData指针地址,却又正常。
IRQL一直是在PASSIVE_LEVEL。

请大家点拨一下,下一步应该如何分析?
谢谢!!!

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (12)
雪    币: 290
活跃值: (20)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
2
pMyData->usImageName
本来就是一个字符串指针吧
你再取地址不知道指到哪去了
2009-3-13 00:46
0
雪    币: 26
活跃值: (28)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
typedef struct _MYPROCESSDATA
{
LIST_ENTRY myListEntry;
UNICODE_STRING usImageName; //线程名称
} MYPROCESSDATA, *PMYPROCESSDATA;

PMYPROCESSDATA pMyData;      //全局变量
LIST_ENTRY ProcessListHead;  //进程链表头
2009-3-13 01:15
0
雪    币: 193
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
不懂驱动,不过碰到这种情况的话,我会立刻看一下是不是打印进程名的时候溢出了

按照pMyData->usImageName里面的长度自己手动输出一下看结果如何。
2009-3-13 09:34
0
雪    币: 26
活跃值: (28)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
没有溢出,我看过了。
2009-3-13 10:03
0
雪    币: 229
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
是否没有初始化UNICODE_STRING usImageName?

如果初始化了,

动态调试,看UNICODE_STRING usImageName是否正常
2009-3-13 10:09
0
雪    币: 218
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
NaX
7
首先如果你的进程名称是从EPROCESS取得,那么它是Ansi而不是宽字符。第二,DbgPrint不能传入UNICODE结构,而应该传入宽字符指针。
2009-3-13 10:36
0
雪    币: 193
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
如果能确定参数完全正确,一点问题都没有的话,msdn还有这样的解释:


DbgPrint

In Microsoft Windows Server 2003 and earlier versions of Windows, the DbgPrint routine sends a message to the kernel debugger. In Windows Vista and later versions of Windows, DbgPrint sends a message only if certain conditions apply.

ULONG DbgPrint( IN PCHAR Format, . . . . [arguments] );Parameters
Format
Specifies a pointer to the format string to print. The Format string supports all the printf-style formatting codes. However, the Unicode format codes (%C, %S, %lc, %ls, %wc, %ws, and %wZ) can only be used with IRQL = PASSIVE_LEVEL.

arguments
Specifies arguments for the format string, as in printf.


不知道是不是这儿的问题?
2009-3-13 10:54
0
雪    币: 331
活跃值: (57)
能力值: ( LV7,RANK:100 )
在线值:
发帖
回帖
粉丝
9
全局变量在可丢弃内存就可能发生概率性蓝屏,我一般不用INIT节
2009-3-13 11:45
0
雪    币: 26
活跃值: (28)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
只要退出卡巴就一切正常。开着卡巴,偶尔也正常,或者乱码,再或者就蓝屏。
2009-3-13 15:29
0
雪    币: 26
活跃值: (28)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
但有时候必须要用到全局变量,怎么办呢?
2009-3-13 15:29
0
雪    币: 26
活跃值: (28)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
12
今天在本机测试,又一次蓝。
 
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D5, {8b362f80, 0, bae62933, 0}
Page 18594 not present in the dump file. Type ".hh dbgerr004" for details
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
*** ERROR: Module load completed but symbols could not be loaded for safeboxkrnl.sys
PEB is paged out (Peb.Ldr = 7ffdd00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdd00c).  Type ".hh dbgerr001" for details
Probably caused by : klif.sys
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 8b362f80, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: bae62933, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Page 18594 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdd00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdd00c).  Type ".hh dbgerr001" for details
READ_ADDRESS:  8b362f80 Special pool
FAULTING_IP: 
irp3!MyDeviceIoControl+1a3 [f:\mydrivers\irp\3\sys\irp3.c @ 179]
bae62933 8b4218          mov     eax,dword ptr [edx+18h]
MM_INTERNAL_CODE:  0
IMAGE_NAME:  klif.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4981a9d4
MODULE_NAME: klif
FAULTING_MODULE: bae62000 irp3
DEFAULT_BUCKET_ID:  CODE_CORRUPTION
BUGCHECK_STR:  0xD5
PROCESS_NAME:  irp3exe.exe
TRAP_FRAME:  ba0965d8 -- (.trap 0xffffffffba0965d8)
ErrCode = 00000000
eax=e31692a8 ebx=8b362f00 ecx=6c350006 edx=8b362f68 esi=8a229730 edi=87fb25e0
eip=bae62933 esp=ba09664c ebp=ba0966f4 iopl=0         nv up ei pl zr na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010247
irp3!MyDeviceIoControl+0x1a3:
bae62933 8b4218          mov     eax,dword ptr [edx+18h] ds:0023:8b362f80=????????
Resetting default scope
LAST_CONTROL_TRANSFER:  from 8052137a to 804faf43
STACK_TEXT:  
ba096558 8052137a 00000050 8b362f80 00000000 nt!KeBugCheckEx+0x1b
ba0965c0 80545588 00000000 8b362f80 00000000 nt!MmAccessFault+0x9a8
ba0965c0 bae62933 00000000 8b362f80 00000000 nt!KiTrap0E+0xd0
ba0966f4 804f019f 87fb25e0 8b362f68 806e7428 irp3!MyDeviceIoControl+0x1a3 [f:\mydrivers\irp\3\sys\irp3.c @ 179]
ba096704 80659128 880163f8 806e7410 8b362f68 nt!IopfCallDriver+0x31
ba096728 80580982 8b362fd8 880163f8 8b362f68 nt!IovCallDriver+0xa0
ba09673c 805817f7 87fb25e0 8b362f68 880163f8 nt!IopSynchronousServiceTail+0x70
ba0967d8 8057a274 000007e8 00000000 00000000 nt!IopXxxControlFile+0x5c5
ba09680c b7183830 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
ba096854 b7049eb7 000007e8 00000000 00000000 klif+0x10830
ba096d30 8054262c 0012feec 000007e8 00000000 safeboxkrnl+0xaeb7
ba096d30 7c92e4f4 0012feec 000007e8 00000000 nt!KiFastCallEntry+0xfc
0012ff1c 00000000 00000000 00000000 00000000 0x7c92e4f4

STACK_COMMAND:  kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    804ebf84-804ebf88  5 bytes - nt!FsRtlCheckLockForReadAccess
 [ 8b ff 55 8b ec:e9 5f c2 ca 36 ]
    804f0912-804f0916  5 bytes - nt!IoIsOperationSynchronous (+0x498e)
 [ 8b ff 55 8b ec:e9 8b 7c ca 36 ]
    8050548c-8050548f  4 bytes - nt!KiServiceTable+2c (+0x14b7a)
 [ 3e cb 5e 80:72 1a 18 b7 ]
    805054c4-805054c7  4 bytes - nt!KiServiceTable+64 (+0x38)
 [ f8 d4 5b 80:1e 20 18 b7 ]
    805054dc-805054df  4 bytes - nt!KiServiceTable+7c (+0x18)
 [ b4 55 5a 80:82 3a 18 b7 ]
    805054f4-805054f7  4 bytes - nt!KiServiceTable+94 (+0x18)
 [ 84 a0 57 80:38 34 18 b7 ]
    80505504-80505507  4 bytes - nt!KiServiceTable+a4 (+0x10)
 [ 92 47 62 80:e8 11 18 b7 ]
    80505530-80505537  8 bytes - nt!KiServiceTable+d0 (+0x2c)
 [ c2 49 5c 80 e0 1f 5d 80:e4 53 18 b7 1a 1e 18 b7 ]
    8050555c-8050555f  4 bytes - nt!KiServiceTable+fc (+0x2c)
 [ 22 4c 62 80:2a 16 18 b7 ]
    80505564-8050556b  8 bytes - nt!KiServiceTable+104 (+0x08)
 [ f2 4d 62 80 4a a2 57 80:2a 18 18 b7 44 37 18 b7 ]
    80505570-80505573  4 bytes - nt!KiServiceTable+110 (+0x0c)
 [ d0 ef 5b 80:f0 58 18 b7 ]
    8050557c-8050557f  4 bytes - nt!KiServiceTable+11c (+0x0c)
 [ d2 4f 62 80:40 19 18 b7 ]
    80505584-80505587  4 bytes - nt!KiServiceTable+124 (+0x08)
 [ 3c 52 62 80:a8 19 18 b7 ]
    805055b0-805055b3  4 bytes - nt!KiServiceTable+150 (+0x2c)
 [ 7e a2 57 80:fa 35 18 b7 ]
    805055e4-805055e7  4 bytes - nt!KiServiceTable+184 (+0x34)
 [ 3a 51 58 80:a8 4e 18 b7 ]
    80505630-80505633  4 bytes - nt!KiServiceTable+1d0 (+0x4c)
 [ 82 b1 57 80:94 32 18 b7 ]
    8050563c-8050563f  4 bytes - nt!KiServiceTable+1dc (+0x0c)
 [ 64 5b 62 80:4a 13 18 b7 ]
    80505648-8050564b  4 bytes - nt!KiServiceTable+1e8 (+0x0c)
 [ 08 c4 5c 80:40 1c 18 b7 ]
    80505654-80505657  4 bytes - nt!KiServiceTable+1f4 (+0x0c)
 [ d2 b3 5a 80:0e 54 18 b7 ]
    80505660-80505663  4 bytes - nt!KiServiceTable+200 (+0x0c)
 [ 94 c6 5c 80:96 1b 18 b7 ]
    805056e0-805056e7  8 bytes - nt!KiServiceTable+280 (+0x80)
 [ 8a 5e 62 80 e0 38 62 80:10 1a 18 b7 14 17 18 b7 ]
    80505724-80505727  4 bytes - nt!KiServiceTable+2c4 (+0x44)
 [ ca 29 62 80:f2 14 18 b7 ]
    80505730-80505733  4 bytes - nt!KiServiceTable+2d0 (+0x0c)
 [ 3e 22 5d 80:10 51 18 b7 ]
    80505764-80505767  4 bytes - nt!KiServiceTable+304 (+0x34)
 [ 3e 68 62 80:6a 0e 18 b7 ]
    80505780-80505783  4 bytes - nt!KiServiceTable+320 (+0x1c)
 [ 5a 3d 5a 80:0c 43 18 b7 ]
    80505790-80505793  4 bytes - nt!KiServiceTable+330 (+0x10)
 [ 4a 61 62 80:cc 0f 18 b7 ]
    80505798-8050579f  8 bytes - nt!KiServiceTable+338 (+0x08)
 [ 82 59 5d 80 46 62 62 80:c0 57 18 b7 68 0c 18 b7 ]
    805057a8-805057ab  4 bytes - nt!KiServiceTable+348 (+0x10)
 [ 48 4d 5a 80:24 39 18 b7 ]
    805057b4-805057b7  4 bytes - nt!KiServiceTable+354 (+0x0c)
 [ 02 27 5d 80:18 1f 18 b7 ]
    80505814-80505817  4 bytes - nt!KiServiceTable+3b4 (+0x60)
 [ f6 15 5c 80:a2 4f 18 b7 ]
    80505820-80505823  4 bytes - nt!KiServiceTable+3c0 (+0x0c)
 [ c6 03 61 80:38 54 18 b7 ]
    8050583c-8050583f  4 bytes - nt!KiServiceTable+3dc (+0x1c)
 [ 18 2d 62 80:a0 13 18 b7 ]
    80505854-8050585f  12 bytes - nt!KiServiceTable+3f4 (+0x18)
 [ 4a 5a 5d 80 bc 58 5d 80:1c 55 18 b7 48 56 18 b7 ]
    80505864-80505867  4 bytes - nt!KiServiceTable+404 (+0x10)
 [ aa 39 5d 80:ea 1c 18 b7 ]
    805058b4-805058b7  4 bytes - nt!KiServiceTable+454 (+0x50)
 [ 94 53 5b 80:5c 1d 18 b7 ]
    80532ecc-80532ed1  6 bytes - nt!DebugPrint (+0x2d618)
 [ 8b ff 55 8b ec ff:ff 25 8c dd b4 b6 ]
    80542615-80542619  5 bytes - nt!KiFastCallEntry+e5 (+0xf749)
 [ 2b e1 c1 e9 02:e9 b2 d3 b0 36 ]
    8054261e-80542621  4 bytes - nt!KiFastCallEntry+ee (+0x09)
 [ 34 31 56 80:f4 cc 05 b7 ]
    805455c6-805455c9  4 bytes - nt!KiTrap0E+10e (+0x2fa8)
 [ 28 26 54 80:0d fa 04 b7 ]
    805a2cb2-805a2cb8  7 bytes - nt!KeUserModeCallback
 [ 6a 30 68 08 aa 4d 80:e9 21 15 aa 36 90 90 ]
192 errors : !nt (804ebf84-805a2cb8)
FOLLOWUP_NAME:  MachineOwner
MEMORY_CORRUPTOR:  PATCH_klif
FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_PATCH_klif
BUCKET_ID:  MEMORY_CORRUPTION_PATCH_klif
Followup: MachineOwner
---------
2009-3-13 16:20
0
雪    币: 201
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
13
我也遇到这样的问题了,**,大家来帮帮忙啊
2009-4-7 10:27
0
游客
登录 | 注册 方可回帖
返回
//